-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stored XSS in profile page #797
Comments
Thank you for pointing out. We’re looking into an xss library to be used to clean the data
Very soon we will update.
… On 18-Jul-2018, at 4:35 PM, DrStacheWH ***@***.***> wrote:
Description:
Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile.
Vulnerability Type: Stored XSS
Attack Vectors:
Go to your profile page editor https://demo.gleezcms.org/user/edit
Set your home page URL to : http://x.x/<svg onload=alert(document.cookie)>
Now when someone will check your profile page, alert(document.cookie) will be executed.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
ghost
changed the title
Stored XSS in profil page
Stored XSS in profile page
Jul 19, 2018
Has there been an update regarding this vulnerability? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
Cross-site scripting (XSS) vulnerability in Gleez CMS allow remote attackers (users) to inject arbitrary Javascript or HTML via the profile page editor, which will result in a Stored XSS on his public profile.
Vulnerability Type: Stored XSS
Attack Vectors:
http://x.x/<svg onload=alert(document.cookie)>
Now when someone will check your profile page,
alert(document.cookie)
will be executed.The text was updated successfully, but these errors were encountered: